Why it matters

LLM APIs are the business model of foundation model companies. Model extraction threatens that model — attackers can create competitive systems at a fraction of training cost.

Advertisement

The architecture

Basic extraction: query the target model with a large dataset; use the responses to fine-tune a smaller model. The smaller model can achieve much of the target's capability.

Adversarial extraction: use carefully-crafted queries that maximize information extraction per query.

Model extraction pipelineQuery targetmany promptsCollect responsesinput/output pairsDistill to student modelsmaller, cheaperWatermarking + rate limits + terms of service enforcement are main defenses
Extraction attack flow.
Advertisement

How it works end to end

Watermarking defenses: subtly bias generation to embed detectable patterns in output. Cannot prevent extraction but enables detection.

Query rate limits: cap queries per account. Slows extraction but doesn't prevent determined attackers.

Behavioral monitoring: detect unusual query patterns that indicate extraction attempts.